[Archive Home][Date Prev][Date Next][Index]


"DHS admits screening test violated Privacy Act"

Saturday, December 23, 2006

DHS admits screening test violated Privacy Act
The Associated Press     

WASHINGTON -- The Homeland Security Department admitted Friday it violated
the Privacy Act two years ago by obtaining more commercial data about U.S.
airline passengers than it had announced it would.

Seventeen months ago, the Government Accountability Office, Congress'
auditing arm, reached the same conclusion: The department's Transportation
Security Administration "did not fully disclose to the public its use of
personal information in its fall 2004 privacy notices as required by the
Privacy Act."

Even so, in a report Friday on the testing of TSA's Secure Flight domestic
air passenger screening program, Homeland Security department's privacy
office acknowledged TSA didn't comply with the law. But the privacy office
still couldn't bring itself to use the word "violate."

Instead, the privacy office said, "TSA announced one testing program, but
conducted an entirely different one." In a 40-word, separate sentence, the
report noted that federal programs that collect personal data that can
identify Americans "are required to be announced in Privacy Act system
notices and privacy impact assessments."

TSA spokesman Christopher White noted the GAO's earlier conclusions and
said, "TSA has already implemented or is in the process of implementing each
of the DHS privacy office recommendations."

Congress has been unhappy with TSA's domestic airline screening program for
years -- since it was called CAPPS II before it was tweaked and renamed
Secure Flight. Federal law now bars TSA from implementing a domestic
screening system until the GAO is satisfied it can meet 10 standards of
privacy protection, accuracy and security.

Secure Flight has never passed all those tests, and White said there is no
target date for implementing it. "We are more concerned with getting it
right," White said.

Friday's report reinforced concerns on Capitol Hill.

"This further documents the cavalier way the Bush administration treats
Americans' privacy," said Sen. Patrick Leahy, D-Vt., who is set to become
Senate Judiciary Committee chairman in January. "With this database program,
first they ignored the Privacy Act, and now, two years later, they still
have a hard time admitting it."

Leahy promised the new Congress will try to learn more about how the
administration uses such databases. "Data mining technology has great
potential," Leahy said, "but history shows that without adequate checks and
balances and oversight, misuse and abuse of the public's personal
information will be inevitable."

Characterizing the Secure Flight problems as "largely unintentional,"
Homeland Security's privacy office attributed them to TSA's failure to
revise the public announcement after the test changed.

The privacy office said TSA announced in fall 2004 it would acquire
passenger name records of people who flew domestically in June 2004. Airline
passenger name records include the flyer's name, address, itinerary, form of
payment, history of one-way travel, contact phone number, seating location
and even requests for special meals.

The public notices said TSA would try to match the passenger names with
names on watch lists of terrorists and criminals.

But they also said the passenger records would be compared with unspecified
commercial data about Americans in an effort to see if the passenger data
was accurate. It assured the public that TSA would not receive commercial
data used by contractors to conduct that part of the tests.

But the contractor, EagleForce, used data obtained from commercial data
collection companies Acxiom, Insight American and Qsent to fill in missing
information in the passenger records and then sent the enhanced records back
to TSA on CDs for comparison with watch lists.

This was "contrary to the express statements in the fall privacy notices
about the Secure Flight program," Homeland Security's privacy office
concluded. "EagleForce's access to the commercial data amounted to access of
the data by TSA."

Another procedure originally thought to enhance privacy backfired.
EagleForce augmented the 42,000 passenger name records with similar
variations of the spelling of each first and last name so it asked for
commercial data on 240,000 names. Many of these variations were the actual
names of real people whose records were then put into the test without any
public notice, the report said. Eventually, the three companies supplied
EagleForce with 191 million records, though many were duplicates.

On the Net:

DHS report:


 Do you have an opinion about this story?
Share it with other readers in our CAA Discussion Forums



Current CAA news channel:

Fair Use Notice
This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of political, human rights, economic, democracy and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.html. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. If you have any queries regarding this issue, please Email us at stepheni@cwnet.com